System and Computer Program Product for Fair, Secure N-Party Computation Using At Least One Blockchain

ABSTRACT

Described are a system and computer program product for secure n-party computation. The system includes a computing device programmed or configured to communicate an input to a trusted execution environment (TEE), and receive a first encrypted output. The computing device is also programmed or configured to post the first encrypted output on a blockchain and receive a first proof of publication. The computing device is further programmed or configured to communicate the first proof of publication to the TEE and receive the first function output of the n-party computation. The computing device is further programmed or configured to communicate a witness to the TEE and receive a second encrypted output. The computing device is further programmed or configured to post the second encrypted output on the blockchain, receive a second proof of publication, communicate the second proof of publication to the TEE, and receive the second function output.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 17/104,520, filed Nov. 25, 2020, titled “System and Method for Fair, Secure N-Party Computation Using At Least One Blockchain,” which claims priority to U.S. Provisional Patent Application No. 62/941,045, filed on Nov. 27, 2019, titled “System, Method, and Computer Program Product for Fair, Secure N-Party Computation Using At Least One Blockchain”, the disclosures of which are incorporated by reference herein in their entireties.

BACKGROUND 1. Technical Field

Disclosed embodiments or aspects relate generally to fair exchange computer protocols and, in one particular embodiment or aspect, to a system, method, and computer program product for secure n-party computation having fair output delivery using a bulletin board abstraction.

2. Technical Considerations

Secure multiparty computation (MPC) allows a set of parties to perform a joint computation on their inputs that reveals only the final output and nothing else. These parties may be mutually distrusting and require a secure protocol to ensure a fair exchange. Secure computation, however, often cannot provide fairness in settings where many (e.g., a majority, a plurality, half, and/or the like) of the participants are corrupt (e.g., dishonest actors). For instance, in a two-party setting, a malicious party can abort a secure computation protocol after receiving the output, leaving the other party no recourse to obtain the output. Additionally, in some settings, not all parties to may have access to necessary resources (e.g., access to a trusted execution environment, access to one or more blockchains, and/or the like). Additionally, use of a third party as an intermediary for such multiparty computations may waste resources in terms of the number of parties involved, the number of communications needed, and/or the like, and it may be possible for the third party to collude with one of the parties, thereby threatening security and fairness. There is a need to address these and other deficiencies of secure computation.

SUMMARY

Accordingly, provided is an improved system, method, and computer program product for secure n-party (e.g., n>1) computation.

According to some non-limiting embodiments or aspects, provided is a method that may include communicating, with a first computing device, a first input of an n-party computation to a trusted execution environment (TEE). The method also may include receiving, with the first computing device from the TEE, at least one first encrypted output comprising a first function output of the n-party computation encrypted with at least one public key of at least one other computing device. The first function output of the n-party computation may be determined based on the first input and at least one second input from the at least one other computing device. The method may further include posting, with the first computing device, the at least one first encrypted output on at least one blockchain accessible by the at least one other computing device. The at least one first encrypted output may be decryptable using at least one private key of the at least one other computing device to obtain the first function output of the n-party computation. The method may further include, in response to posting the at least one first encrypted output on the at least one blockchain, receiving, with the first computing device, at least one first proof of publication. The method may further include communicating, with the first computing device, the at least one first proof of publication to the TEE. The method may further include, receiving, with the first computing device, the first function output of the n-party computation from the TEE.

In some non-limiting embodiments or aspects, the method may include communicating, with the first computing device, a witness of a witness encryption scheme to the TEE. The method may also include receiving, with the first computing device, at least one second encrypted output including a second function output encrypted with the at least one public key of the at least one other computing device. The second function output may be determined based on the first input, the at least one second input, and the witness. The method may further include posting, with the first computing device, the at least one second encrypted output on the at least one blockchain. The at least one second encrypted output may be decryptable using the at least one private key to obtain the second function output. The method may further include, in response to posting the at least one second encrypted output on the at least one blockchain, receiving, with the first computing device, at least one second proof of publication. The method may further include communicating, with the first computing device, the at least one second proof of publication to the TEE. The method may further include receiving, with the first computing device, the second function output from the TEE.

In some non-limiting embodiments or aspects, the first computing device and the at least one other computing device may be permissioned by a consortium to access the at least one blockchain. The first computing device may be configured with at least read access and write access to the at least one blockchain, and the second computing device may be configured with at least read access to the at least one blockchain.

In some non-limiting embodiments or aspects, the first function output may include a signature of a data object generated based on the first input and the at least one second input. The first input may include a first signature key associated with the first computing device and the at least one second input may include at least one second signature key associated with the at least one other computing device.

In some non-limiting embodiments or aspects, the first computing device may be configured to communicate with the TEE in a first secure communication channel, in which only the TEE is permitted to read communications from the first computing device to the TEE.

According to some non-limiting embodiments or aspects, provided is a computer-implemented method that may include receiving, with a trusted execution environment (TEE), a first input from a first computing device and at least one second input from at least one other computing device. The method also may include generating, with the TEE, a first function output of an n-party computation based on the first input and the at least one second input. The method may further include encrypting, with the TEE, the first function output of the n-party computation using at least one public key of the at least one other computing device to produce at least one first encrypted output. The method may further include communicating, with the TEE, the at least one first encrypted output to the first computing device. The method may further include receiving, with the TEE from the first computing device, at least one first proof of publication associated with the at least one first encrypted output being posted to at least one blockchain accessible by the at least one other computing device. The method may further include, in response to receiving the at least one first proof of publication from the first computing device, communicating, with the TEE, the first function output of the n-party computation to the first computing device.

In some non-limiting embodiments or aspects, the method may include receiving, with the TEE, a witness of a witness encryption scheme from the first computing device. The method may include generating, with the TEE, a second function output based on the first input, the at least one second input, and the witness. The method may further include encrypting, with the TEE, the second function output using the at least one public key to produce at least one second encrypted output. The method may further include communicating, with the TEE, the at least one second encrypted output to the first computing device. The method may further include receiving, with the TEE from the first computing device, at least one second proof of publication associated with the at least one second encrypted output being posted to the at least one blockchain. The method may further include, in response to receiving the at least one second proof of publication from the first computing device, communicating, with the TEE, the second function output to the first computing device.

In some non-limiting embodiments or aspects, the method may include receiving, with the TEE from the at least one other computing device, the at least one first proof of publication. The method may also include, in response to receiving the at least one first proof of publication from the at least one other computing device, communicating, with the TEE, the first function output of the n-party computation to the at least one other computing device. The method may further include receiving, with the TEE from the at least one other computing device, the at least one second proof of publication. The method may further include, in response to receiving the at least one second proof of publication from the at least one other computing device, communicating, with the TEE, the second function output to the at least one other computing device.

In some non-limiting embodiments or aspects, the first function output may include a signature of a data object generated based on the first input and the at least one second input. The first input may include a first signature key associated with the first computing device and the at least one second input may include at least one second signature key associated with the at least one other computing device.

In some non-limiting embodiments or aspects, the TEE may be configured to communicate with the first computing device in a first secure communication channel, in which only the first computing device is permitted to read communications from the TEE to the first computing device. The TEE may be configured to communicate with the at least one other computing device in at least one other secure communication channel, in which only the at least one other computing device is permitted to read communications from the TEE to the at least one other computing device.

According to some non-limiting embodiments or aspects, provided is a system that may include a server including at least one processor operating a trusted execution environment (TEE). The at least one processor may be programmed and/or configured to receive a first input from a first computing device and at least one second input from at least one other computing device. The at least one processor may also be programmed and/or configured to generate a first function output of an n-party computation based on the first input and the at least one second input. The at least one processor may be further programmed and/or configured to encrypt the first function output of the n-party computation using at least one public key of the at least one other computing device to produce at least one first encrypted output. The at least one processor may be further programmed and/or configured to communicate the at least one first encrypted output to the first computing device. The at least one processor may be further programmed and/or configured to receive, from the first computing device, at least one first proof of publication associated with the at least one first encrypted output being posted to at least one blockchain accessible by the at least one other computing device. The at least one processor may be further programmed and/or configured to, in response to receiving the at least one first proof of publication from the first computing device, communicate the first function output of the n-party computation to the first computing device.

In some non-limiting embodiments or aspects, the at least one processor may be further programmed and/or configured to receive a witness of a witness encryption scheme from the first computing device. The at least one processor may be further programmed and/or configured to generate a second function output based on the first input, the at least one second input, and the witness. The at least one processor may be further programmed and/or configured to encrypt the second function output using the at least one public key to produce at least one second encrypted output. The at least one processor may be further programmed and/or configured to communicate the at least one second encrypted output to the first computing device. The at least one processor may be further programmed and/or configured to receive, from the first computing device, at least one second proof of publication associated with the at least one second encrypted output being posted to the at least one blockchain. The at least one processor may be further programmed and/or configured to, in response to receiving the at least one second proof of publication from the first computing device, communicate the second function output to the first computing device.

In some non-limiting embodiments or aspects, the system may include the first computing device. The first computing device and the at least one other computing device may be permissioned by a consortium to access the at least one blockchain. The first computing device may be configured with at least read access and write access to the at least one blockchain, and the second computing device may be configured with at least read access to the at least one blockchain.

In some non-limiting embodiments or aspects, the at least one processor may be further programmed and/or configured to receive, from the at least one other computing device, the at least one first proof of publication. The at least one processor may be further programmed and/or configured to, in response to receiving the at least one first proof of publication from the at least one other computing device, communicate the first function output of the n-party computation to the at least one other computing device. The at least one processor may be further programmed and/or configured to receive, from the at least one other computing device, the at least one second proof of publication. The at least one processor may be further programmed and/or configured to, in response to receiving the at least one second proof of publication from the at least one other computing device, communicate the second function output to the at least one other computing device.

In some non-limiting embodiments or aspects, the first function output may include a signature of a data object generated based on the first input and the at least one second input. The first input may include a first signature key associated with the first computing device and the at least one second input may include at least one second signature key associated with the at least one other computing device.

In some non-limiting embodiments or aspects, the server may be configured to communicate with the first computing device in a first secure communication channel, in which only the first computing device is permitted to read communications from the server to the first computing device. The server may be configured to communicate with the at least one other computing device in at least one other secure communication channel, in which only the at least one other computing device is permitted to read communications from the server to the at least one other computing device.

Other non-limiting embodiments or aspects of the present disclosure will be set forth in the following numbered clauses:

-   -   Clause 1: A computer-implemented method comprising:         communicating, with a first computing device, a first input of         an n-party computation to a trusted execution environment (TEE);         receiving, with the first computing device from the TEE, at         least one first encrypted output comprising a first function         output of the n-party computation encrypted with at least one         public key of at least one other computing device, the first         function output of the n-party computation determined based on         the first input and at least one second input from the at least         one other computing device; posting, with the first computing         device, the at least one first encrypted output on at least one         blockchain accessible by the at least one other computing         device, the at least one first encrypted output being         decryptable using at least one private key of the at least one         other computing device to obtain the first function output of         the n-party computation; in response to posting the at least one         first encrypted output on the at least one blockchain,         receiving, with the first computing device, at least one first         proof of publication; communicating, with the first computing         device, the at least one first proof of publication to the TEE;         and receiving, with the first computing device, the first         function output of the n-party computation from the TEE.     -   Clause 2: The method of clause 1, further comprising:         communicating, with the first computing device, a witness of a         witness encryption scheme to the TEE; receiving, with the first         computing device, at least one second encrypted output         comprising a second function output encrypted with the at least         one public key of the at least one other computing device, the         second function output determined based on the first input, the         at least one second input, and the witness; posting, with the         first computing device, the at least one second encrypted output         on the at least one blockchain, the at least one second         encrypted output being decryptable using the at least one         private key to obtain the second function output; in response to         posting the at least one second encrypted output on the at least         one blockchain, receiving, with the first computing device, at         least one second proof of publication; communicating, with the         first computing device, the at least one second proof of         publication to the TEE; and receiving, with the first computing         device, the second function output from the TEE.     -   Clause 3: The computer-implemented method of clause 1 or clause         2, wherein the first computing device and the at least one other         computing device are permissioned by a consortium to access the         at least one blockchain, wherein the first computing device is         configured with at least read access and write access to the at         least one blockchain, and the second computing device is         configured with at least read access to the at least one         blockchain.     -   Clause 4: The computer-implemented method of any of clauses 1-3,         wherein the first function output comprises a signature of a         data object generated based on the first input and the at least         one second input, wherein the first input comprises a first         signature key associated with the first computing device and the         at least one second input comprises at least one second         signature key associated with the at least one other computing         device.     -   Clause 5: The computer-implemented method of any of clauses 1-4,         wherein the first computing device is configured to communicate         with the TEE in a first secure communication channel, in which         only the TEE is permitted to read communications from the first         computing device to the TEE.     -   Clause 6: A computer-implemented method comprising: receiving,         with a trusted execution environment (TEE), a first input from a         first computing device and at least one second input from at         least one other computing device; generating, with the TEE, a         first function output of an n-party computation based on the         first input and the at least one second input; encrypting, with         the TEE, the first function output of the n-party computation         using at least one public key of the at least one other         computing device to produce at least one first encrypted output;         communicating, with the TEE, the at least one first encrypted         output to the first computing device; receiving, with the TEE         from the first computing device, at least one first proof of         publication associated with the at least one first encrypted         output being posted to at least one blockchain accessible by the         at least one other computing device; and in response to         receiving the at least one first proof of publication from the         first computing device, communicating, with the TEE, the first         function output of the n-party computation to the first         computing device.     -   Clause 7: The computer-implemented method of clause 6, further         comprising: receiving, with the TEE, a witness of a witness         encryption scheme from the first computing device; generating,         with the TEE, a second function output based on the first input,         the at least one second input, and the witness; encrypting, with         the TEE, the second function output using the at least one         public key to produce at least one second encrypted output;         communicating, with the TEE, the at least one second encrypted         output to the first computing device; receiving, with the TEE         from the first computing device, at least one second proof of         publication associated with the at least one second encrypted         output being posted to the at least one blockchain; and, in         response to receiving the at least one second proof of         publication from the first computing device, communicating, with         the TEE, the second function output to the first computing         device.     -   Clause 8: The computer-implemented method of clause 6 or clause         7, further comprising: receiving, with the TEE from the at least         one other computing device, the at least one first proof of         publication; and, in response to receiving the at least one         first proof of publication from the at least one other computing         device, communicating, with the TEE, the first function output         of the n-party computation to the at least one other computing         device.     -   Clause 9: The computer-implemented method of any of clauses 6-8,         further comprising: receiving, with the TEE from the at least         one other computing device, the at least one second proof of         publication; and, in response to receiving the at least one         second proof of publication from the at least one other         computing device, communicating, with the TEE, the second         function output to the at least one other computing device.     -   Clause 10: The computer-implemented method of any of clauses         6-9, wherein the first function output comprises a signature of         a data object generated based on the first input and the at         least one second input, wherein the first input comprises a         first signature key associated with the first computing device         and the at least one second input comprises at least one second         signature key associated with the at least one other computing         device.     -   Clause 11: The computer-implemented method of any of clauses         6-10, wherein the TEE is configured to communicate with the         first computing device in a first secure communication channel,         in which only the first computing device is permitted to read         communications from the TEE to the first computing device.     -   Clause 12: The computer-implemented method of any of clauses         6-11, wherein the TEE is configured to communicate with the at         least one other computing device in at least one other secure         communication channel, in which only the at least one other         computing device is permitted to read communications from the         TEE to the at least one other computing device.     -   Clause 13: A system comprising a server including at least one         processor operating a trusted execution environment (TEE), the         at least one processor programmed and/or configured to: receive         a first input from a first computing device and at least one         second input from at least one other computing device; generate         a first function output of an n-party computation based on the         first input and the at least one second input; encrypt the first         function output of the n-party computation using at least one         public key of the at least one other computing device to produce         at least one first encrypted output; communicate the at least         one first encrypted output to the first computing device;         receive, from the first computing device, at least one first         proof of publication associated with the at least one first         encrypted output being posted to at least one blockchain         accessible by the at least one other computing device; and, in         response to receiving the at least one first proof of         publication from the first computing device, communicate the         first function output of the n-party computation to the first         computing device.     -   Clause 14: The system of clause 13, wherein the at least one         processor is further programmed and/or configured to: receive a         witness of a witness encryption scheme from the first computing         device; generate a second function output based on the first         input, the at least one second input, and the witness; encrypt         the second function output using the at least one public key to         produce at least one second encrypted output; communicate the at         least one second encrypted output to the first computing device;         receive, from the first computing device, at least one second         proof of publication associated with the at least one second         encrypted output being posted to the at least one blockchain;         and, in response to receiving the at least one second proof of         publication from the first computing device, communicate the         second function output to the first computing device.     -   Clause 15: The system of clause 13 or clause 14, further         comprising the first computing device, wherein the first         computing device and the at least one other computing device are         permissioned by a consortium to access the at least one         blockchain, wherein the first computing device is configured         with at least read access and write access to the at least one         blockchain, and the second computing device is configured with         at least read access to the at least one blockchain.     -   Clause 16: The system of any of clauses 13-15, wherein the at         least one processor is further programmed and/or configured to:         receive, from the at least one other computing device, the at         least one first proof of publication; and, in response to         receiving the at least one first proof of publication from the         at least one other computing device, communicate the first         function output of the n-party computation to the at least one         other computing device.     -   Clause 17: The system of any of clauses 13-16, wherein the at         least one processor is further programmed and/or configured to:         receive, from the at least one other computing device, the at         least one second proof of publication; and, in response to         receiving the at least one second proof of publication from the         at least one other computing device, communicate the second         function output to the at least one other computing device.     -   Clause 18: The system of any of clauses 13-17, wherein the first         function output comprises a signature of a data object generated         based on the first input and the at least one second input,         wherein the first input comprises a first signature key         associated with the first computing device and the at least one         second input comprises at least one second signature key         associated with the at least one other computing device.     -   Clause 19: The system of any of clauses 13-18, wherein the         server is configured to communicate with the first computing         device in a first secure communication channel, in which only         the first computing device is permitted to read communications         from the server to the first computing device.     -   Clause 20: The system of any of clauses 13-19, wherein the         server is configured to communicate with the at least one other         computing device in at least one other secure communication         channel, in which only the at least one other computing device         is permitted to read communications from the server to the at         least one other computing device.     -   Clause 21: A computer program product comprising a         non-transitory computer-readable medium storing program         instructions configured to cause at least one processor to         perform the method of any of clauses 1-12.

These and other features and characteristics of the present disclosure, as well as the methods of operation and functions of the related elements of structures and the combination of parts and economies of manufacture, will become more apparent upon consideration of the following description and the appended claims with reference to the accompanying drawings, all of which form a part of this specification, wherein like reference numerals designate corresponding parts in the various figures. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of the present disclosure. As used in the specification and the claims, the singular form of “a,” “an,” and “the” include plural referents unless the context clearly dictates otherwise.

BRIEF DESCRIPTION OF THE DRAWINGS

Additional advantages and details of the disclosure are explained in greater detail below with reference to the exemplary embodiments or aspects that are illustrated in the accompanying schematic figures, in which:

FIG. 1 is a diagram of a non-limiting embodiment or aspect of an environment in which systems, apparatuses, and/or methods, as described herein, may be implemented;

FIG. 2 is a flowchart illustrating a non-limiting embodiment or aspect of a method for secure n-party computation according to the principles of the present disclosure;

FIG. 3 is a flowchart illustrating a non-limiting embodiment or aspect of a method for secure n-party computation according to the principles of the present disclosure;

FIG. 4 is a flowchart illustrating a non-limiting embodiment or aspect of a method for secure n-party computation according to the principles of the present disclosure; and

FIG. 5 is a diagram of a non-limiting embodiment or aspect of components of one or more devices of FIG. 1 .

DETAILED DESCRIPTION

For purposes of the description hereinafter, the terms “upper”, “lower”, “right”, “left”, “vertical”, “horizontal”, “top”, “bottom”, “lateral”, “longitudinal,” and derivatives thereof shall relate to non-limiting embodiments or aspects as they are oriented in the drawing figures. However, it is to be understood that non-limiting embodiments or aspects may assume various alternative variations and step sequences, except where expressly specified to the contrary. It is also to be understood that the specific devices and processes illustrated in the attached drawings, and described in the following specification, are simply exemplary embodiments or aspects. Hence, specific dimensions and other physical characteristics related to the embodiments or aspects disclosed herein are not to be considered as limiting.

No aspect, component, element, structure, act, step, function, instruction, and/or the like used herein should be construed as critical or essential unless explicitly described as such. Also, as used herein, the articles “a” and “an” are intended to include one or more items and may be used interchangeably with “one or more” and “at least one.” Furthermore, as used herein, the term “set” is intended to include one or more items (e.g., related items, unrelated items, a combination of related and unrelated items, etc.) and may be used interchangeably with “one or more” or “at least one.” Where only one item is intended, the term “one” or similar language is used. Also, as used herein, the terms “has,” “have,” “having,” or the like are intended to be open-ended terms. Further, the phrase “based on” is intended to mean “based at least partially on” unless explicitly stated otherwise.

Some non-limiting embodiments or aspects are described herein in connection with thresholds. As used herein, satisfying a threshold may refer to a value being greater than the threshold, more than the threshold, higher than the threshold, greater than or equal to the threshold, less than the threshold, fewer than the threshold, lower than the threshold, less than or equal to the threshold, equal to the threshold, and/or the like.

As used herein, the terms “communication” and “communicate” may refer to the reception, receipt, transmission, transfer, provision, and/or the like, of information (e.g., data, signals, messages, instructions, commands, and/or the like). For one unit (e.g., a device, a system, a component of a device or system, combinations thereof, and/or the like) to be in communication with another unit means that the one unit is able to directly or indirectly receive information from and/or transmit information to the other unit. This may refer to a direct or indirect connection (e.g., a direct communication connection, an indirect communication connection, and/or the like) that is wired and/or wireless in nature. Additionally, two units may be in communication with each other even though the information transmitted may be modified, processed, relayed, and/or routed between the first and second unit. For example, a first unit may be in communication with a second unit even though the first unit passively receives information and does not actively transmit information to the second unit. As another example, a first unit may be in communication with a second unit if at least one intermediary unit (e.g., a third unit located between the first unit and the second unit) processes information received from the first unit and communicates the processed information to the second unit. In some non-limiting embodiments or aspects, a message may refer to a network packet (e.g., a data packet, and/or the like) that includes data. Any known electronic communication protocols and/or algorithms may be used such as, for example, TCP/IP (including HTTP and other protocols), WLAN (including 802.11 and other radio frequency-based protocols and methods), analog transmissions, cellular networks (e.g., Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA), Long-Term Evolution (LTE), Worldwide Interoperability for Microwave Access (WiMAX), etc.), and/or the like. It will be appreciated that numerous other arrangements are possible.

As used herein, the term “mobile device” may refer to one or more portable electronic devices configured to communicate with one or more networks. As an example, a mobile device may include a cellular phone (e.g., a smartphone or standard cellular phone), a portable computer (e.g., a tablet computer, a laptop computer, etc.), a wearable device (e.g., a watch, pair of glasses, lens, clothing, and/or the like), a personal digital assistant (PDA), and/or other like devices. The term “client device,” as used herein, refers to any electronic device that is configured to communicate with one or more servers or remote devices and/or systems. A client device may include a mobile device, a network-enabled appliance (e.g., a network-enabled television, refrigerator, thermostat, and/or the like), a computer, and/or any other device or system capable of communicating with a network.

As used herein, the term “computing device” may refer to one or more electronic devices that are configured to directly or indirectly communicate with or over one or more networks. A computing device may be a mobile or portable computing device, a desktop computer, a server, and/or the like. Furthermore, the term “computer” may refer to any computing device that includes the necessary components to receive, process, and output data, and normally includes a display, a processor, a memory, an input device, and a network interface. A “computing system” may include one or more computing devices or computers. An “application” or “application program interface” (API) refers to computer code or other data sorted on a computer-readable medium that may be executed by a processor to facilitate the interaction between software components, such as a client-side front-end and/or server-side back-end for receiving data from the client. An “interface” refers to a generated display, such as one or more graphical user interfaces (GUIs) with which a user may interact, either directly or indirectly (e.g., through a keyboard, mouse, touchscreen, etc.). Further, multiple computers, e.g., servers, or other computerized devices directly or indirectly communicating in the network environment may constitute a “system” or a “computing system.”

As used herein, the term “server” or “server computer” may refer to or include one or more processors or computers, storage devices, or similar computer arrangements that are operated by or facilitate communication and processing for multiple parties in a network environment, such as the Internet, although it will be appreciated that communication may be facilitated over one or more public or private network environments and that various other arrangements are possible. Further, multiple computers, e.g., servers, or other computerized devices directly or indirectly communicating in the network environment may constitute a “system.” Reference to “a server” or “a processor,” as used herein, may refer to a previously-recited server and/or processor that is recited as performing a previous step or function, a different server and/or processor, and/or a combination of servers and/or processors. For example, as used in the specification and the claims, a first server and/or a first processor that is recited as performing a first step or function may refer to the same or different server and/or a processor recited as performing a second step or function.

As used herein, the term “computation” may refer to an exchange between two parties where input from both parties is required for both parties to determine an output. A computation may be an exchange where two parties are required to securely sign a document or data object. Secure multi-party computation is a subfield of cryptography, e.g., with a goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private.

As used herein, the term “witness” may be taken from the context of “witness encryption.” A witness encryption scheme may be defined for a nondeterministic polynomial time (NP) language with a corresponding witness relation R. In a witness encryption scheme, a user may encrypt a message M to a particular problem instance x to produce a ciphertext. A recipient of a ciphertext may be able to decrypt the message if x is in the language and the recipient knows a witness w where R(x,w) holds. However, if x is not in the language, then no polynomial-time attacker may distinguish between encryptions of any two equal length messages.

As used herein, the term “function output” may refer to the output of a computation. For example, a function output may include an output of an n-party joint computation given a set of inputs from the n parties.

As used herein, the term “trusted execution environment” (TEE) may refer to a secure area inside a main processor that runs parallel to an operating system in an isolated environment. For example, a TEE may guarantee that the code and data loaded into the TEE are protected with respect to confidentiality and integrity. A TEE may also attest to the correct execution of a program to a remote party.

As used herein, the term “consortium” may refer to a system, including one or more computing devices (e.g., servers and/or the like), that has a set of permissioned computing devices (e.g., a controlled user group) that may have varying levels of access to components of the system. The consortium may include and control access to, e.g., a blockchain.

As used herein, the terms “issuer institution,” “portable financial device issuer,” “issuer,” or “issuer bank” may refer to one or more entities that provide accounts to customers for conducting transactions (e.g., payment transactions), such as initiating credit and/or debit payments. For example, an issuer institution may provide an account identifier, such as a primary account number (PAN), to a customer that uniquely identifies one or more accounts associated with that customer. The account identifier may be embodied on a portable financial device, such as a physical financial instrument, e.g., a payment card, and/or may be electronic and used for electronic payments. The terms “issuer institution” and “issuer institution system” may also refer to one or more computer systems operated by or on behalf of an issuer institution, such as a server computer executing one or more software applications. For example, an issuer institution system may include one or more authorization servers for authorizing a transaction.

As used herein, the term “account identifier” may include one or more types of identifiers associated with a user account (e.g., a PAN, a card number, a payment card number, a payment token, and/or the like). In some non-limiting embodiments or aspects, an issuer institution may provide an account identifier (e.g., a PAN, a payment token, and/or the like) to a user that uniquely identifies one or more accounts associated with that user. The account identifier may be embodied on a physical financial instrument (e.g., a portable financial instrument, a payment card, a credit card, a debit card, and/or the like) and/or may be electronic information communicated to the user that the user may use for electronic payments. In some non-limiting embodiments or aspects, the account identifier may be an original account identifier, where the original account identifier was provided to a user at the creation of the account associated with the account identifier. In some non-limiting embodiments or aspects, the account identifier may be an account identifier (e.g., a supplemental account identifier) that is provided to a user after the original account identifier was provided to the user. For example, if the original account identifier is forgotten, stolen, and/or the like, a supplemental account identifier may be provided to the user. In some non-limiting embodiments or aspects, an account identifier may be directly or indirectly associated with an issuer institution such that an account identifier may be a payment token that maps to a PAN or other type of identifier. Account identifiers may be alphanumeric, any combination of characters and/or symbols, and/or the like. An issuer institution may be associated with a bank identification number (BIN) that uniquely identifies the issuer institution.

As used herein, the term “merchant” may refer to one or more entities (e.g., operators of retail businesses that provide goods and/or services, and/or access to goods and/or services, to a user (e.g., a customer, a consumer, a customer of the merchant, and/or the like) based on a transaction (e.g., a payment transaction)). As used herein, the term “merchant system” may refer to one or more computer systems operated by or on behalf of a merchant, such as a server computer executing one or more software applications. As used herein, the term “product” may refer to one or more goods and/or services offered by a merchant.

As used herein, the term “point-of-sale (POS) device” may refer to one or more devices, which may be used by a merchant to initiate transactions (e.g., a payment transaction), engage in transactions, and/or process transactions. For example, a POS device may include one or more computers, peripheral devices, card readers, near-field communication (NFC) receivers, radio frequency identification (RFID) receivers, and/or other contactless transceivers or receivers, contact-based receivers, payment terminals, computers, servers, input devices, and/or the like.

As used herein, the term “point-of-sale (POS) system” may refer to one or more computers and/or peripheral devices used by a merchant to conduct a transaction. For example, a POS system may include one or more POS devices and/or other like devices that may be used to conduct a payment transaction. A POS system (e.g., a merchant POS system) may also include one or more server computers programmed or configured to process online payment transactions through webpages, mobile applications, and/or the like.

As used herein, the term “transaction service provider” may refer to an entity that receives transaction authorization requests from merchants or other entities and provides guarantees of payment, in some cases through an agreement between the transaction service provider and the issuer institution. In some non-limiting embodiments or aspects, a transaction service provider may include a credit card company, a debit card company, and/or the like. As used herein, the term “transaction service provider system” may also refer to one or more computer systems operated by or on behalf of a transaction service provider, such as a transaction processing server executing one or more software applications. A transaction processing server may include one or more processors and, in some non-limiting embodiments or aspects, may be operated by or on behalf of a transaction service provider.

As used herein, the term “acquirer” may refer to an entity licensed by the transaction service provider and approved by the transaction service provider to originate transactions (e.g., payment transactions) using a portable financial device associated with the transaction service provider. As used herein, the term “acquirer system” may also refer to one or more computer systems, computer devices, and/or the like operated by or on behalf of an acquirer. The transactions may include payment transactions (e.g., purchases, original credit transactions (OCTs), account funding transactions (AFTs), and/or the like). In some non-limiting embodiments or aspects, the acquirer may be authorized by the transaction service provider to assign merchant or service providers to originate transactions using a portable financial device of the transaction service provider. The acquirer may contract with payment facilitators to enable the payment facilitators to sponsor merchants. The acquirer may monitor compliance of the payment facilitators in accordance with regulations of the transaction service provider. The acquirer may conduct due diligence of the payment facilitators and ensure that proper due diligence occurs before signing a sponsored merchant. The acquirer may be liable for all transaction service provider programs that the acquirer operates or sponsors. The acquirer may be responsible for the acts of the acquirer's payment facilitators, merchants that are sponsored by an acquirer's payment facilitators, and/or the like. In some non-limiting embodiments or aspects, an acquirer may be a financial institution, such as a bank.

As used herein, the terms “electronic wallet,” “electronic wallet mobile application,” and “digital wallet” may refer to one or more electronic devices and/or one or more software applications configured to initiate and/or conduct transactions (e.g., payment transactions, electronic payment transactions, and/or the like). For example, an electronic wallet may include a user device (e.g., a mobile device) executing an application program and server-side software and/or databases for maintaining and providing transaction data to the user device. As used herein, the term “electronic wallet provider” may include an entity that provides and/or maintains an electronic wallet and/or an electronic wallet mobile application for a user (e.g., a customer). Examples of an electronic wallet provider include, but are not limited to, Google Pay®, Android Pay®, Apple Pay®, and Samsung Pay®. In some non-limiting examples, a financial institution (e.g., an issuer institution) may be an electronic wallet provider. As used herein, the term “electronic wallet provider system” may refer to one or more computer systems, computer devices, servers, groups of servers, and/or the like operated by or on behalf of an electronic wallet provider.

As used herein, the term “portable financial device” may refer to a payment card (e.g., a credit or debit card), a gift card, a smartcard, smart media, a payroll card, a healthcare card, a wrist band, a machine-readable medium containing account information, a keychain device or fob, an RFID transponder, a retailer discount or loyalty card, a cellular phone, an electronic wallet mobile application, a personal digital assistant (PDA), a pager, a security card, a computer, an access card, a wireless terminal, a transponder, and/or the like. In some non-limiting embodiments or aspects, the portable financial device may include volatile or non-volatile memory to store information (e.g., an account identifier, a name of the account holder, and/or the like).

As used herein, the term “payment gateway” may refer to an entity and/or a payment processing system operated by or on behalf of such an entity (e.g., a merchant service provider, a payment service provider, a payment facilitator, a payment facilitator that contracts with an acquirer, a payment aggregator, and/or the like), which provides payment services (e.g., transaction service provider payment services, payment processing services, and/or the like) to one or more merchants. The payment services may be associated with the use of portable financial devices managed by a transaction service provider. As used herein, the term “payment gateway system” may refer to one or more computer systems, computer devices, servers, groups of servers, and/or the like operated by or on behalf of a payment gateway and/or to a payment gateway itself. As used herein, the term “payment gateway mobile application” may refer to one or more electronic devices and/or one or more software applications configured to provide payment services for transactions (e.g., payment transactions, electronic payment transactions, and/or the like).

Non-limiting embodiments or aspects of the present disclosure are directed to a system, method, and computer program product for secure n-party computation. It will be appreciated that described systems and methods for 2-party exchange may be expanded to n-party computations, where n>1. Described embodiments and aspects provide improved technical solutions by providing an architecture for secure, fairness-assured joint computation. The described systems and methods provide fair secure computation in the (multi-)blockchain setting. Additionally, no third party intermediary computing devices need to be involved to assure fairness, reducing communication time associated with outside transmissions and decreasing the number of party resources (e.g., processing capacity) involved. Furthermore, the described systems and methods remove the possibility of a third party intermediary computing device colluding with one of the parties, thereby threatening security and fairness. In the presently described methods, a corrupt party may not receive the final output without the assurance that other participating parties also have access to joint computation.

In some non-limiting embodiments or aspects, systems and methods described herein may provide fair protocols for fair secure computation in the multi-blockchain setting. For example, in an n-party setting where t parties are corrupt (e.g., where t<n), the described protocols for fair secure computation will work where: (i) t parties have access to a trusted execution environment (TEE) and (ii) each of the t parties have read access and/or write access to a blockchain with each of the other parties. Furthermore, only these t parties need write access to said blockchains.

In some non-limiting embodiments or aspects, systems and methods described herein may make use of a synchronizable fair exchange (F_(s) _(y) _(x)), including in the (

_(att),

_(BB),

_(acrs))-hybrid model, where (i)

_(att) is a global ideal functionality that captures attested executions, (ii)

_(BB) is the ideal blockchain functionality, and in particular provides an interface for obtaining proof of publication, and (iii)

_(acrs) is the global ideal functionality for an augmented common reference string. For example, some non-limiting embodiments or aspects described herein may provide a variant of F_(s) _(y) _(x) where only one party has the ability to trigger F_(s) _(y) _(x). This may allow a pair of parties to reuse a single a priori loaded instance of F_(s) _(y) _(x) (with one-sided trigger) in any number of multiparty protocols (possibly involving different sets of parties) thereby minimizing the use of blockchain.

In some non-limiting embodiments or aspects, secure multiparty computation (MPC) may allow a set of mutually distrusting parties to perform a joint computation on their inputs that reveals only the final output and nothing else. Such secure computation may be an important technical solution that may enable new business applications resulting from secure data sharing. In some non-limiting embodiments or aspects, systems and methods described herein may provide for solutions where not all parties may have read/write access on a single common blockchain. For example, there may exist multiple consortiums including separate blockchains having overlapping memberships. Since membership in a consortium may cost significant fees, members of a consortium C₁ may be restricted from performing read/write operations on the blockchain of consortium C₂ if they are not members of C₂. Without any visibility into the blockchain of C₂, members of C₁ may not trust C₂ to carry out a reliable blockchain read/write. While members within C₂ may trust that the associated blockchain B₂ is maintained properly, there is no reason for P₁, a member of C₁ but not C₂, to trust that this is the case.

In view of the foregoing, there are circumstances under which P₁∈C₁/C₂ may accept a proof of publication on B₂. A proof of publication in a permissioned blockchain with m participants may be t+1 signatures from participating parties, where t<m/3 (or t<m/2) may be a threshold for a distributed consensus protocol that is used to maintain the permissioned blockchain. For P₁ to trust a proof of publication, P₁ may trust that there are, at most, t colluding parties in C₂. Since P₁ may not have control over membership constraints in C₂, P₁ may not find such a trust assumption reasonable. Similar issues may also apply to other consensus methods (e.g., proof of work, proof of stake). P₁ may not be able to obtain a (valid) proof of publication on B₂ which is otherwise accessible to every member of C₂.

In some non-limiting embodiments or aspects, in a single blockchain setting, parties P₁, P₂, and P₃ may each possess a TEE and each have access to a single blockchain B. T_(j) may represent the TEE hosted by P_(j). P_(i) may have a secure channel established with T_(j), such that P_(j) may not read messages sent by P_(i). In the first step, each T_(i) may send a corresponding host input to T_(j), following which T_(j) may compute the function output on the provided inputs. However, T_(j) may not yet release the outputs to host P_(j) as there may be some T_(j) that has not received all inputs. To ensure that all TEEs received the inputs, (i) each T_(j) may post a token on the blockchain indicating that all inputs were received, (ii) each T_(j) may receive from a corresponding host P_(j) all three tokens from T₁, T₂, T₃ with respective proofs of publication on B, and (iii) then, the T_(j) may release the function output to P_(j).

If some T_(j) releases the function output to P_(j), then all three tokens may have been recorded on B, thereby making the above protocol fair. For example, an assumption may be that the proof of publication π_(v) of posting a value v is unforgeable. Additionally or alternatively, it may be computationally infeasible for a party to compute π_(v) without posting von the blockchain. This in turn may imply that every T_(i) obtained inputs from all participants. Furthermore, since all three tokens may be recorded on B, they may be available to T_(i) (through P_(i)), following which T_(i) will release the final output to P_(i).

In some non-limiting embodiments or aspects, in a multi-blockchain setting, for example, there may be three consortiums C_({1,2}),C_({2,3}),C_({1,3}) such that P_(i),P_(j)∈C_({i,j}) for k∉{i,j}. C_({i,j}) may maintain blockchain B_({i,j}). A party P_(k) for k∉{i,j} may not share the trust assumptions on C_({i,j}) as P_(i) and P_(j), and consequently may not trust proofs of publication on B_({i,j}). Alternatively, P_(k) may not have read access to proofs on B_({i,j}), and consequently will not get the output. Therefore, a protocol which relies on read/write on a single blockchain, e.g., B_({i,j}), may not work.

For the purpose of illustration and not limitation, consider a setting with three permissioned consortiums, C₁,C₂,C₃, where C_(i) has m_(i) members and members of C_(i) assume a corruption threshold t_(i)<m_(i)/10 within C_(i). In some non-limiting embodiments or aspects, systems and methods described herein may provide a technical solution when there is a centralized adversary

that controls and coordinates all the corrupt parties across consortiums, such as when

corrupts a subset A_(i) in C_(i) with |A_(i)|>t_(i) within a consortium, or

corrupts all members within a consortium.

In some non-limiting embodiments or aspects, systems and methods described herein may make use of synchronizable fair exchange (F_(s) _(y) _(x)). In said synchronizable fair exchange, F_(s) _(y) _(x) may include a 2-party primitive that is reactive and/or may work in two phases, e.g., called “load” and “trigger.” In the load phase, parties may submit private inputs x₁,x₂ along with public inputs (f₁,f₂,ϕ₁,ϕ₂), where f₁,f₂ are 2-output functions, and ϕ₁,ϕ₂ are Boolean predicates. Upon receiving these inputs, F_(s) _(y) _(x) may compute f₁(x₁,x₂) and/or deliver the respective outputs to both parties. Next, in the trigger phase, which may be initiated at any later time after the load phase, party P_(i) may send a “witness” w_(i) to

_(s) _(y) _(x) following which F_(s) _(y) _(x) checks if ϕ_(i)(w_(i))=1. If that is indeed the case, then

_(s) _(y) _(x) may compute f₂(x₁,x₂, w_(i)) and may deliver the respective outputs along with w_(i) to both parties in a fair manner.

In some non-limiting embodiments or aspects, systems and methods described herein may use synchronizable fair exchange (F_(s) _(y) _(x)) with a one-sided trigger, in non-limiting embodiments or aspects.

_(s) _(y) _(x) may be restricted by giving only one designated party, e.g., P_(i), the ability to trigger F_(s) _(y) _(x). This may be done by setting ϕ_(j)=0, thereby ensuring that P_(j) may never trigger

_(s) _(y) _(x). P_(i) may still need to provide a valid witness that satisfies ϕ_(i). F_(s) _(y) _(x) with a one-sided trigger may be implemented in described systems and methods when only P_(i) possess a TEE.

For the purpose of illustration and not limitation, consider a F_(s) _(y) _(x) system with one-sided trigger and two parties P_(i),P_(j). Both parties may have access to a blockchain B, but only P_(i) may possess a TEE (T_(i)). First, P_(i) and P_(j) may supply their inputs to T_(i). T_(i) may compute y₁=f₁(x₁,x₂) and may output e₁=Enc(pk_(j),y₁) where pk_(j) is the public key of P_(j) and Enc(a,b) is an encryption function that encrypts input b using an input key of a. Following this, P_(i) may post e₁ on the blockchain B and/or obtain the corresponding proof of publication π₁. Then P_(i) may feeds π₁ to T_(i), which then may release the output y₁ to P_(i). In some non-limiting embodiments or aspects, P_(j) may recover y₁ by reading blockchain B and decrypting e₁ with secret key sk_(j) of P_(j). For the trigger phase, suppose P_(i) has a valid witness w_(i). Then P_(i) may feed w_(i) to T_(i), which may verify if ϕ(w_(i))=1, and if so, may compute y₂=f₂(x₁,x₂,w_(i)) and may output e₂=Enc(pk_(j),w_(i)∥y₂) to P_(i). As before, P_(i) may post e₂ on blockchain B, get the proof of publication π₂, and/or feed π₂ to T_(i), which may output y₂ to P_(i). P_(j) may read e₂ from blockchain B and decrypt e₂ to get w_(i) and y₂.

In the above illustration, the trigger phase may be initiated only by P_(i), since only T_(i) may compute f2(x₁,x₂,w_(i)). It will be appreciated that the outputs of both f₁ and f₂ may be delivered to both parties in a fair manner. In particular, P₁ may not obtain the output of f₁ or f₂ without posting e₁ or e₂, respectively, on the blockchain. This may be because T_(i) may reveal y₁=f₁(x₁,x₂) and y₂=f₂(x₁,x₂,w_(i)) only after obtaining π₁ and π₂, respectively, from the blockchain. This, in turn, may ensure that e₁ and e₂ were posted on the blockchain and are available for P_(j) to decrypt and obtain y₁ and y₂, respectively. In some non-limiting embodiments or aspects, P_(i) may prevent the evaluation of f₁ or f₂, but as described herein, if P_(i) indeed obtains the outputs of f₁ or f₂, then P_(j) may obtain the output as well. Additionally or alternatively, the load phase may be completed, but P_(i) (e.g., a corrupt actor) may not trigger even if instructed by the higher level protocol. Additionally or alternatively, an honest P₁'s trigger may result in P_(i) learning the output, and, in particular, there may be no way a corrupt P_(j) may prevent P_(i) from learning the output of f₁ or f₂.

In some non-limiting embodiments or aspects, F_(s) _(y) _(x) may be implemented where either party may trigger. For the purpose of illustration and not limitation, assume that both parties P_(i),P_(j) possess a TEE (T_(i),T_(j), respectively). Further, assume that T_(i) and T_(j) share a symmetric key ek. P_(i) and P_(j) may supply their inputs to T_(i) and T_(j). Then, T_(i) and T_(j) each may post a token on the blockchain indicating that each party has received the inputs. The TEEs may not proceed with the load phase unless they receive two proofs of publication of both tokens from the blockchain. Given these proofs, both T_(i) and T_(j) locally may output (respectively to P_(i) and P_(j)) the value f₁(x₁,x₂), and terminate the load phase. In this example, either party may trigger. The following description may account for P_(i) initiating the trigger phase, but it will be appreciated that the actions for P_(j) may be analogously the same.

When P_(i) wishes to trigger, P_(i) may provide a witness w_(i) to T_(i), following which T_(i) may check if ϕ_(i)(w_(i))=1 and may output e=Enc(ek,w_(i)∥f₂(x₁,x₂,w_(i))) to P_(i). P_(i) then may post e on the blockchain to obtain a proof of publication π, which P_(i) then may send to T_(i). Upon receiving the proof π, T_(i) may output f₂(x₁,x₂,w_(i)) to P_(i) and/or terminate the trigger phase. Upon seeing the token e on the blockchain, P_(j) may send e,π to T_(j), which then may check if π is a valid proof of publication, decrypt e using ek to obtain w_(i),f₂(x₁,x₂,w_(i)), check if ϕ_(i)(w_(i))=1, and output f₂(x₁,x₂,w_(i)) to P_(j).

In some non-limiting embodiments or aspects, the outputs of f1 and f2 may be delivered to both parties in a fair manner. For example, P_(i) may not obtain the output of f₁ unless tokens from both T_(i),T_(j) indicating that they received the inputs are recorded on the blockchain. When these tokens are recorded on the blockchain, there may be no way for P_(i) to prevent P_(j) from reading these tokens and/or submitting the tokens along with proofs to T_(j), which may result in P_(j) obtaining the output of f₁. If P_(i) obtains the output of f₂, such as by providing the trigger witness w_(i), then P_(i) may have no way of preventing P_(j) from learning the output of f₂. This may be because P_(i) may need to provide proof π that e was posted on the blockchain. Since it may be infeasible for P_(i) to obtain this proof without posting e on the blockchain, it may follow that e may be read by P_(j), following which P_(j) may feed e to T_(j) and obtain the final output. The triggering party may obtain the output if the triggering party behaves honestly, e.g., if P_(i) initiates the trigger phase, and/or there may be no way for a corrupt P_(j) to prevent P_(i) from learning the output of f₂.

In some non-limiting embodiments or aspects, to construct fair protocols in the multiblockchain setting, the following transformations may be applied: for every pair of parties P_(i),P_(j), an

_(s) _(y) _(x) instance may be added between them, if (i) at least one of P_(i),P_(j) possesses a TEE, and if (ii) P_(i) and P_(j) are on some common blockchain. An

_(s) _(y) _(x) instance between P_(i) and P_(j) may be one-sided if exactly one of P_(i),P_(j) possesses a TEE.

In some non-limiting embodiments or aspects, the above transformation may abstract away both TEEs and blockchains, which may provide a setting with n parties, some of which may be connected by

_(s) _(y) _(x) instances. This setting may be represented with an “

_(s) _(y) _(x)-diagraph” G, where the vertices may represent the n parties and edges may represent

_(s) _(y) _(x) instances. If t parties possess a TEE, then G may consist of O(nt+t²) edges. Specifically, there may be a directed edge between i and j in G if (i) P_(i) possesses a TEE, and if (ii) P_(i) and P_(j) share a common blockchain. In some non-limiting embodiments or aspects, systems and methods described herein may provide a fair protocol when G is not a complete diagraph.

In some non-limiting embodiments or aspects, fair secure computation may include fair reconstruction of a secret-sharing scheme. For example, the parties may run an (unfair) MPC protocol for a function f that may compute the function output y, then may compute secret shares of the function output {y_(i)}_(i∈[n]), and then may compute commitments (e.g., of a commitment scheme) on these secret shares. The commitments may be denoted by c=(c₁, . . . ,c_(n)). Additionally or alternatively, the MPC protocol may output to party P_(i) the values y_(i), c. If an honest party does not obtain the output from the (unfair) MPC protocol, then all parties may terminate, and no one may obtain the final output y. In some non-limiting embodiments or aspects, to get a fair evaluation of f, either all parties may learn all the commitment openings or none of the parties may learn all the openings, e.g., in which an opening includes a message used in a reveal phase of a commitment scheme. In some non-limiting embodiments or aspects, the

_(s) _(y) _(x) instances may be used to achieve fair reconstruction of y. For example, assume that P₁, . . . ,P_(t) possess a TEE and P_(t+1), . . . ,P_(n) do not. Therefore, when i≤t, (i,j)∈G for all j∈[n], and these may be the only edges in G. For the purpose of illustration and not limitation, an

_(s) _(y) _(x) instance may be associated with (i,j)∈G with t and i<j. This instance may be set up such that (i) the instance may be triggered only in round j+1; (ii) the predicate ϕ_(i) associated with this instance may check for valid openings of c₁, . . . ,c_(j−1); and (iii) upon trigger, the value y_(j) may be released to both parties. To reconstruct y, in round j+1 for 2≤j≤n, each party i (with t≤t and i<j) may trigger (if possible) the

_(s) _(y) _(x) instance associated with (i,j)∈G. Finally, in round n+2, if any honest party obtained all the openings, e.g., the values y₁, . . . ,y_(n), then said party may broadcast all these openings to all parties. In some non-limiting embodiments or aspects, the above steps may provide a fair protocol, e.g., in consideration of corrupt party actions. For example, if a corrupt party learns y at the end of the protocol, all honest parties may learn y too. For example, P_(j) may be honest and for k<j, party P_(k) may be corrupt. To learn y, the corrupt party may learn y_(i) by triggering an

_(s) _(y) _(x) instance associated with j. This consequently may mean that P_(j) may learn all values y₁, . . . y_(j). If j≤t, then for all k>j, in round k+1, party P_(j) may trigger the (j,k)

_(s) _(y) _(x) instance using the functional outputs y₁, . . . ,y_(k−1) to learn y_(k). Then, in round n+2, party P_(j) may broadcast all openings to all honest parties, and therefore all honest parties may obtain the final output.

In some non-limiting embodiments or aspects, if j>t, then P_(n) may be honest since there may be at most t corrupt parties. To obtain y_(n), and consequently the final output y, an adversary

may need some corrupt P_(i) with i≤t to trigger the

_(s) _(y) _(x) instance associated with (i,n)∈G. If P_(i) triggers this

_(s) _(y) _(x) instance, then honest P_(n) may learn the functional outputs y₁, . . . ,y_(n−1), and, therefore, may know all openings. Additionally or alternatively, P_(n) may broadcast these openings in round n+2, which may lead to all honest parties obtaining the final output.

Referring now to FIG. 1 , illustrated is a diagram of an example environment 100 in which devices, systems, and/or methods, described herein, may be implemented. As shown in FIG. 1 , environment 100 may include a first computing device 102, a trusted execution environment (TEE) 104, one or more other computing devices 106, 106 n, a blockchain 108, and a communication network 110. The TEE 104 may be implemented on the same device as the first computing device 102. One or more other blockchains 108 n may be used, which may be accessible by one or more other computing devices 106, 106 n. One or more other TEEs 104 n may be used, for access by a computing device 102, 106, 106 n, according to the steps disclosed herein.

Communication network 110 may include one or more wired and/or wireless networks. For example, communication network 110 may include a cellular network (e.g., a long-term evolution (LTE) network, a third generation (3G) network, a fourth generation (4G) network, a code division multiple access (CDMA) network, and/or the like), a public land mobile network (PLMN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the public switched telephone network (PSTN)), a private network, an ad hoc network, a mesh network, a beacon network, an intranet, the Internet, a fiber optic-based network, a cloud computing network, and/or the like, and/or a combination of these or other types of networks.

The first computing device 102 may be configured to communicate with the TEE 104 in a first secure communication channel 114, in which only the TEE 104 is permitted to read communications from the first computing device 102 to the TEE 104, and in which only the first computing device 102 is permitted to read communications from the TEE 104 to the first computing device 102. The other computing device 106 may be configured to communicate with the TEE 104 in a second secure communication channel 116, in which only the TEE 104 is permitted to read communications from the other computing device 106 to the TEE 104, and in which only the other computing device 106 is permitted to read communications from the TEE 104 to the other computing device 106. A same or similar communication channel to the second secure communication channel 116 may be employed for further other computing devices 106 n. In some non-limiting embodiments or aspects, each computing device 102, 106, 106 n may be associated with a corresponding TEE 104, 104 n.

Environment 100 may include a consortium 112 or one or more other consortiums 112 n, wherein each consortium 112, 112 n may be associated with, and control access to, one or more blockchains 108, 108 n. As illustrated, a consortium 112 may be associated with and/or control access to a blockchain 108, and other consortium 112 n may be associated with, and controls access to, a blockchain 108 n. In some non-limiting embodiments or aspects, the relationship of each consortium 112, 112 n to one or more respective blockchains 108, 108 n may be one-to-many. In some non-limiting embodiments or aspects, the first computing device 102 and one or more other computing devices 106, 106 n may be permissioned by a consortium 112, 112 n to access an associated blockchain 108, 108 n. For example, the first computing device 102 and the one or more other computing devices 106, 106 n may have a same or different permission level relative to access of a blockchain 108, 108 n. The first computing device 102 may be configured (e.g., permissioned by a consortium 112, 112 n) with at least read access and write access to a blockchain 108, 108 n. Other computing devices 106, 106 n may be configured (e.g., permissioned by a consortium 112, 112 n) with at least read access to a blockchain 108, 108 n. Alternatively, other computing devices 106, 106 n may have both read and write access.

The number and arrangement of devices and networks shown in FIG. 1 are provided as an example. There may be additional devices and/or networks, fewer devices and/or networks, different devices and/or networks, or differently arranged devices and/or networks than those shown in FIG. 1 . Furthermore, two or more devices shown in FIG. 1 may be implemented within a single device, or a single device shown in FIG. 1 may be implemented as multiple, distributed devices. Additionally or alternatively, a set of devices (e.g., one or more devices) of environment 100 may perform one or more functions described as being performed by another set of devices of environment 100.

Referring now to FIG. 2 , illustrated is a flowchart of a non-limiting embodiment or aspect of a process 200 for secure n-party computation. In some non-limiting embodiments or aspects, one or more of the steps of process 200 may be performed (e.g., completely, partially, and/or the like) by first computing device 102. In some non- limiting embodiments or aspects, one or more of the steps of process 200 may be performed (e.g., completely, partially, and/or the like) by another system, another device, another group of systems, or another group of devices, separate from or including first computing device 102, a TEE 104, other TEE 104 n, other computing device 106, other computing device 106 n, blockchain 108, other blockchain 108 n, consortium 112, other consortium 112 n, and/or the like. A processor used to perform one step may or may not be the same processor used to perform another step.

In step 202, a first input may be communicated. For example, a first computing device 102 may communicate a first input of an n-party computation to a TEE 104 (e.g., via a first secure communication channel 114 and/or the like).

In step 204, first encrypted outputs may be received. For example, the first computing device 102 may receive, e.g., from the TEE 104, at least one first encrypted output. In some non-limiting embodiments or aspects, the first encrypted output(s) may include a first function output of the n-party computation encrypted with at least one public key of at least one other computing device 106, 106 n. For example, the first function output(s) of the n-party computation may be determined based on the first input from the first computing device 102 and at least one second input from the at least one other computing device 106, 106 n. In some non-limiting embodiments or aspects, in a 2-party computation, a first computing device 102 may receive an encrypted output including the output of the 2-party computation encrypted with a public key of a second computing device 106. Additionally or alternatively, the output of the 2-party computation may be based on the first input of the first computing device 102 and a second input of the second computing device 106. In some non-limiting embodiments or aspects, in a 3-party computation, the first computing device 102 may receive two encrypted outputs including the output of the 3-party computation encrypted with public keys of a second computing device 106 and a third computing device 106 n. Additionally or alternatively, the output of the 3-party computation may be based on the first input, a second input of the second computing device, and a third input of the third computing device.

In step 206, the first encrypted output(s) may be posted to at least one blockchain. For example, the first computing device 102 may post at least one first encrypted output on at least one blockchain 108 accessible by the at least one other computing device 106, 106 n. Additionally or alternatively, other computing device(s) 106, 106 n may access a same blockchain 108, different blockchains 108 n, or a combination thereof.

In step 208, at least one first proof of publication may be received. For example, the first computing device 102 may, in response to (e.g., based on, triggered by, and/or the like) posting the at least one first encrypted output on the at least one blockchain 108, 108 n, receive at least one first proof of publication from the blockchain 108, 108 n.

In step 210, the at least one first proof of publication may be communicated. For example, the first computing device 102 may communicate the at least one first proof of publication to the TEE 104.

In step 212, a first function output (e.g., an output of an n-party computation) may be received. For example, the first computing device 102 may receive a first function output of the n-party computation from the TEE 104.

In step 214, a witness may be communicated. For example, the first computing device 102 may communicate a witness to the TEE 104.

In step 216, at least one second encrypted output may be received. For example, the first computing device 102 may receive at least one second encrypted output from the TEE 104. In some non-limiting embodiments or aspects, the second encrypted output(s) may include a second function output encrypted with the at least one public key of the at least one other computing device 106, 106 n. Additionally or alternatively, the second function output may be determined based on the first input, the at least one second input, and the witness.

In step 218, the at least one second encrypted output may be posted to at least one blockchain. For example, the first computing device 102 may post the at least one second encrypted output on the at least one blockchain 108, 108 n. In some non-limiting embodiments or aspects, the at least one second encrypted output may be decryptable using the at least one private key of the at least one other computing device 106, 106 n, corresponding to the at least one public key, to obtain the second function output.

In step 220, at least one second proof of publication may be received. For example, the first computing device 102 may, in response to (e.g., based on, triggered by, and/or the like) posting the at least one second encrypted output on the at least one blockchain 108, 108 n, receive at least one second proof of publication from the at least one blockchain 108, 108 n.

In step 222, the at least one second proof of publication may be communicated. For example, the first computing device 102 may communicate the at least one second proof of publication to the TEE 104.

In step 224, a function output based on a witness may be received. For example, the first computing device 102 may receive the second function output from the TEE 104.

Referring now to FIG. 3 , illustrated is a flowchart of some non-limiting embodiments or aspects of a process 300 for secure n-party computation. In some non-limiting embodiments or aspects, one or more of the steps of process 300 may be performed (e.g., completely, partially, and/or the like) by a TEE 104. In some non-limiting embodiments or aspects, one or more of the steps of process 300 may be performed (e.g., completely, partially, and/or the like) by another system, another device, another group of systems, or another group of devices, separate from or including TEE 104, such as, first computing device 102, other TEE 104 n, other computing device 106, other computing device 106 n, blockchain 108, other blockchain 108 n, consortium 112, other consortium 112 n, and/or the like. A processor used to perform one step may or may not be the same processor used to perform another step.

In step 302, a first input and at least one second input may be received. For example, the TEE 104 may receive a first input from a first computing device 102 and at least one second input from at least one other computing device 106, 106 n.

In step 304, a first function output may be generated. For example, the TEE 104 may generate a first function output of an n-party computation based on the first input and the at least one second input. In some non-limiting embodiments or aspects, the first function output may be a signature of a data object generated based on the first input and the at least one second input. Additionally or alternatively, the first input may include a first signature key (e.g., private key used for digital signatures) associated with the first computing device 102 and the at least one second input may include at least one second signature key associated with the at least one other computing device 106, 106 n.

In step 306, the first function output may be encrypted. For example, the TEE 104 may encrypt the first function output of the n-party computation using at least one public key of the at least one other computing device 106, 106 n to produce at least one first encrypted output.

In step 308, the at least one first encrypted output may be communicated. For example, TEE 104 may communicate the at least one first encrypted output to the first computing device 102.

In step 310, at least one first proof of publication may be received. For example, the TEE 104 may receive, from the first computing device 102, at least one first proof of publication associated with the at least one first encrypted output being posted to at least one blockchain 108, 108 n accessible by the at least one other computing device 106, 106 n.

In step 312, the first function output may be communicated. For example, the TEE 104 may, in response to (e.g., based on, triggered by, and/or the like) receiving the at least one first proof of publication, communicate the first function output of the n-party computation to the first computing device 102.

In step 314, the witness may be received. For example, the TEE 104 may receive a witness from the first computing device 102.

In step 316, a second function output may be generated. For example, the TEE 104 may generate a second function output based on the first input, the at least one second input, and the witness.

In step 318, the second function output may be encrypted. For example, the TEE 104 may encrypt the second function output using the at least one public key to produce at least one second encrypted output.

In step 320, the at least one second encrypted output may be communicated. For example, the TEE 104 may communicate the at least one second encrypted output to the first computing device 102.

In step 322, at least one second proof of publication may be received. For example the TEE 104 may receive, from the first computing device 102, at least one second proof of publication associated with the at least one second encrypted output being posted to the at least one blockchain 108, 108 n.

In step 324, the second function output may be communicated. For example, the TEE 104 may, in response to (e.g., based on, triggered by, and/or the like) receiving the at least one second proof of publication, communicate the second function output to the first computing device 102.

Referring now to FIG. 4 , illustrated is a flowchart of some non-limiting embodiments or aspects of a process 400 for secure n-party computation. In some non-limiting embodiments or aspects, one or more of the steps of process 400 may be performed (e.g., completely, partially, and/or the like) by a TEE 104. In some non-limiting embodiments or aspects, one or more of the steps of process 400 may be performed (e.g., completely, partially, and/or the like) by another system, another device, another group of systems, or another group of devices, separate from or including TEE 104, such as, first computing device 102, other TEE 104 n, other computing device 106, other computing device 106 n, blockchain 108, other blockchain 108 n, consortium 112, other consortium 112 n, and/or the like. A processor used to perform one step may or may not be the same processor used to perform another step.

In step 410, at least one first proof of publication may be received. For example, the TEE 104 may receive, from at least one other computing device, at least one first proof of publication associated with the at least one first encrypted output being posted to at least one blockchain 108, 108 n accessible by the at least one other computing device 106, 106 n.

In step 412, the first function output may be communicated. For example, the TEE 104 may, in response to (e.g., based on, triggered by, and/or the like) receiving the at least one first proof of publication from the at least one other computing device 106, 106 n, communicate the first function output of the n-party computation to the at least one other computing device 106, 106 n.

In some non-limiting embodiments or aspects, steps 410 and 412 may be executed after a first computing device 102 has posted the encrypted function output to the blockchain 108, 108 n, e.g., after step 308 in FIG. 3 .

In step 422, at least one second proof of publication may be received. For example, the TEE 104 may receive, from at least one other computing device 106, 106 n, at least one second proof of publication associated with the at least one second encrypted output being posted to the at least one blockchain 108, 108 n.

In step 424, the second function output may be communicated. For example, the TEE 104 may, in response to (e.g., based on, triggered by, and/or the like) receiving the at least one second proof of publication from the at least one other computing device 106, 106 n, communicate the second function output to the at least one other computing device.

In some non-limiting embodiments or aspects, steps 422 and 424 may be executed after a first computing device 102 has posted the second encrypted output to the blockchain 108, 108 n, e.g., after step 320 in FIG. 3 .

Referring now to FIG. 5 , illustrated is a diagram of example components of device 500. Device 500 may correspond to one or more devices of first computing device 102, one or more devices of trusted execution environments 104, 104 n, one or more devices of other computing devices 106, 106 n, one or more devices of blockchains 108, 108 n, one or more devices of consortiums 112, 112 n, and/or one or more devices of communication network 110. In some non-limiting embodiments or aspects, one or more devices of the foregoing may include at least one device 500 and/or at least one component of device 500. As shown in FIG. 5 , device 500 may include bus 502, processor 504, memory 506, storage component 508, input component 510, output component 512, and communication interface 514.

Bus 502 may include a component that permits communication among the components of device 500. In some non-limiting embodiments or aspects, processor 504 may be implemented in hardware, software, or a combination of hardware and software. For example, processor 504 may include a processor (e.g., a central processing unit (CPU), a graphics processing unit (GPU), an accelerated processing unit (APU), etc.), a microprocessor, a digital signal processor (DSP), and/or any processing component (e.g., a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), etc.) that may be programmed to perform a function. Memory 506 may include random access memory (RAM), read-only memory (ROM), and/or another type of dynamic or static storage device (e.g., flash memory, magnetic memory, optical memory, etc.) that stores information and/or instructions for use by processor 504.

Storage component 508 may store information and/or software related to the operation and use of device 500. For example, storage component 508 may include a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optic disk, a solid state disk, etc.), a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a cartridge, a magnetic tape, and/or another type of computer-readable medium, along with a corresponding drive.

Input component 510 may include a component that permits device 500 to receive information, such as via user input (e.g., a touchscreen display, a keyboard, a keypad, a mouse, a button, a switch, a microphone, a camera, etc.). Additionally or alternatively, input component 510 may include a sensor for sensing information (e.g., a global positioning system (GPS) component, an accelerometer, a gyroscope, an actuator, etc.). Output component 512 may include a component that provides output information from device 500 (e.g., a display, a speaker, one or more light-emitting diodes (LEDs), etc.).

Communication interface 514 may include a transceiver-like component (e.g., a transceiver, a separate receiver and transmitter, etc.) that enables device 500 to communicate with other devices, such as via a wired connection, a wireless connection, or a combination of wired and wireless connections. Communication interface 514 may permit device 500 to receive information from another device and/or provide information to another device. For example, communication interface 514 may include an Ethernet interface, an optical interface, a coaxial interface, an infrared interface, a radio frequency (RF) interface, a universal serial bus (USB) interface, a WiFi® interface, a cellular network interface, and/or the like.

Device 500 may perform one or more processes described herein. Device 500 may perform these processes based on processor 504 executing software instructions stored by a computer-readable medium, such as memory 506 and/or storage component 508. A computer-readable medium (e.g., a non-transitory computer-readable medium) is defined herein as a non-transitory memory device. A non-transitory memory device includes memory space located inside of a single physical storage device or memory space spread across multiple physical storage devices.

Software instructions may be read into memory 506 and/or storage component 508 from another computer-readable medium or from another device via communication interface 514. When executed, software instructions stored in memory 506 and/or storage component 508 may cause processor 504 to perform one or more processes described herein. Additionally or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, embodiments or aspects described herein are not limited to any specific combination of hardware circuitry and software.

Memory 506 and/or storage component 508 may include data storage or one or more data structures (e.g., a database, and/or the like). Device 500 may be capable of receiving information from, storing information in, communicating information to, or searching information stored in the data storage or one or more data structures in memory 506 and/or storage component 508. For example, the information may include encryption data, input data, output data, transaction data, account data, or any combination thereof.

The number and arrangement of components shown in FIG. 5 are provided as an example. In some non-limiting embodiments or aspects, device 500 may include additional components, fewer components, different components, or differently arranged components than those shown in FIG. 5 . Additionally or alternatively, a set of components (e.g., one or more components) of device 500 may perform one or more functions described as being performed by another set of components of device 500.

Although the disclosure has been described in detail for the purpose of illustration based on what is currently considered to be the most practical and non-limiting embodiments or aspects, it is to be understood that such detail is solely for that purpose and that the disclosure is not limited to the disclosed embodiments or aspects, but, on the contrary, is intended to cover modifications and equivalent arrangements that are within the spirit and scope of the appended claims. For example, it is to be understood that the present disclosure contemplates that, to the extent possible, one or more features of any embodiment or aspect may be combined with one or more features of any other embodiment or aspect. 

What is claimed is:
 1. A system comprising a first computing device programmed or configured to: communicate a first input of an n-party computation to a trusted execution environment (TEE); receive, from the TEE, at least one first encrypted output comprising a first function output of the n-party computation encrypted with at least one public key of at least one other computing device, the first function output of the n-party computation determined based on the first input and at least one second input from the at least one other computing device; post the at least one first encrypted output on at least one blockchain accessible by the at least one other computing device, the at least one first encrypted output being decryptable using at least one private key of the at least one other computing device to obtain the first function output of the n-party computation; in response to posting the at least one first encrypted output on the at least one blockchain, receive at least one first proof of publication; communicate the at least one first proof of publication to the TEE; receive the first function output of the n-party computation from the TEE; communicate a witness of a witness encryption scheme to the TEE; receive at least one second encrypted output comprising a second function output encrypted with the at least one public key of the at least one other computing device, the second function output determined based on the first input, the at least one second input, and the witness; post the at least one second encrypted output on the at least one blockchain, the at least one second encrypted output being decryptable using the at least one private key to obtain the second function output; in response to posting the at least one second encrypted output on the at least one blockchain, receive at least one second proof of publication; communicate the at least one second proof of publication to the TEE; and receive the second function output from the TEE.
 2. The system of claim 1, wherein the first computing device and the at least one other computing device are permissioned by a consortium to access the at least one blockchain, and wherein the first computing device and the at least one other computing device have different levels of permission to access the at least one blockchain.
 3. The system of claim 2, wherein the first computing device is configured with at least read access and write access to the at least one blockchain, and the at least one other computing device is configured with at least read access to the at least one blockchain.
 4. The system of claim 1, wherein the first function output comprises a signature of a data object generated based on the first input and the at least one second input, wherein the first input comprises a first signature key associated with the first computing device and the at least one second input comprises at least one second signature key associated with the at least one other computing device.
 5. The system of claim 1, wherein the first computing device is configured to communicate with the TEE in a first secure communication channel, in which only the TEE is permitted to read communications from the first computing device to the TEE.
 6. The system of claim 1, wherein the at least one other computing device comprises a second computing device and a third computing device, wherein the at least one second input comprises an input from the second computing device and an input from the third computing device, and wherein the first function output of the n-party computation is determined based on the first input, the input from the second computing device, and the input from the third computing device.
 7. The system of claim 6, wherein the at least one public key comprises a public key of the second computing device and a public key of the third computing device, wherein the at least one second encrypted output comprises the second function output encrypted with the public key of the second computing device and the public key of the third computing device, and wherein the second function output is determined based on the first input, the input of the second computing device, the input of the third computing device, and the witness.
 8. A computer program product comprising a non-transitory computer-readable medium storing program instructions configured to cause at least one processor of a first computing device to: communicate a first input of an n-party computation to a trusted execution environment (TEE); receive, from the TEE, at least one first encrypted output comprising a first function output of the n-party computation encrypted with at least one public key of at least one other computing device, the first function output of the n-party computation determined based on the first input and at least one second input from the at least one other computing device; post the at least one first encrypted output on at least one blockchain accessible by the at least one other computing device, the at least one first encrypted output being decryptable using at least one private key of the at least one other computing device to obtain the first function output of the n-party computation; in response to posting the at least one first encrypted output on the at least one blockchain, receive at least one first proof of publication; communicate the at least one first proof of publication to the TEE; receive the first function output of the n-party computation from the TEE; communicate a witness of a witness encryption scheme to the TEE; receive at least one second encrypted output comprising a second function output encrypted with the at least one public key of the at least one other computing device, the second function output determined based on the first input, the at least one second input, and the witness; post the at least one second encrypted output on the at least one blockchain, the at least one second encrypted output being decryptable using the at least one private key to obtain the second function output; in response to posting the at least one second encrypted output on the at least one blockchain, receive at least one second proof of publication; communicate the at least one second proof of publication to the TEE; and receive the second function output from the TEE.
 9. The computer program product of claim 8, wherein the first computing device and the at least one other computing device are permissioned by a consortium to access the at least one blockchain, and wherein the first computing device and the at least one other computing device have different levels of permission to access the at least one blockchain.
 10. The computer program product of claim 9, wherein the first computing device is configured with at least read access and write access to the at least one blockchain, and the at least one other computing device is configured with at least read access to the at least one blockchain.
 11. The computer program product of claim 8, wherein the first function output comprises a signature of a data object generated based on the first input and the at least one second input, wherein the first input comprises a first signature key associated with the first computing device and the at least one second input comprises at least one second signature key associated with the at least one other computing device.
 12. The computer program product of claim 8, wherein the program instructions cause the at least one processor to communicate with the TEE in a first secure communication channel, in which only the TEE is permitted to read communications from the at least one processor to the TEE.
 13. The computer program product of claim 8, wherein the at least one other computing device comprises a second computing device and a third computing device, wherein the at least one second input comprises an input from the second computing device and an input from the third computing device, and wherein the first function output of the n-party computation is determined based on the first input, the input from the second computing device, and the input from the third computing device.
 14. The computer program product of claim 13, wherein the at least one public key comprises a public key of the second computing device and a public key of the third computing device, wherein the at least one second encrypted output comprises the second function output encrypted with the public key of the second computing device and the public key of the third computing device, and wherein the second function output is determined based on the first input, the input of the second computing device, the input of the third computing device, and the witness.
 15. A computer program product comprising a non-transitory computer-readable medium storing program instructions configured to cause at least one processor associated with a trusted execution environment (TEE) to: receive a first input from a first computing device and at least one second input from at least one other computing device; generate a first function output of an n-party computation based on the first input and the at least one second input; encrypt the first function output of the n-party computation using at least one public key of the at least one other computing device to produce at least one first encrypted output; communicate the at least one first encrypted output to the first computing device; receive, from the first computing device, at least one first proof of publication associated with the at least one first encrypted output being posted to at least one blockchain accessible by the at least one other computing device; in response to receiving the at least one first proof of publication from the first computing device, communicate the first function output of the n-party computation to the first computing device; receive a witness of a witness encryption scheme from the first computing device; generate a second function output based on the first input, the at least one second input, and the witness; encrypt the second function output using the at least one public key to produce at least one second encrypted output; communicate the at least one second encrypted output to the first computing device; receive, from the first computing device, at least one second proof of publication associated with the at least one second encrypted output being posted to the at least one blockchain; and in response to receiving the at least one second proof of publication from the first computing device, communicate the second function output to the first computing device.
 16. The computer program product of claim 15, wherein the program instructions further cause the at least one processor to: receive, from the at least one other computing device, the at least one first proof of publication; and in response to receiving the at least one first proof of publication from the at least one other computing device, communicate the first function output of the n-party computation to the at least one other computing device.
 17. The computer program product of claim 15, wherein the program instructions further cause the at least one processor to: receive, from the at least one other computing device, the at least one second proof of publication; and in response to receiving the at least one second proof of publication from the at least one other computing device, communicate the second function output to the at least one other computing device.
 18. The computer program product of claim 15, wherein the first function output comprises a signature of a data object generated based on the first input and the at least one second input, wherein the first input comprises a first signature key associated with the first computing device and the at least one second input comprises at least one second signature key associated with the at least one other computing device.
 19. The computer program product of claim 15, wherein the program instructions cause the at least one processor to communicate with the first computing device in a first secure communication channel, in which only the first computing device is permitted to read communications from the at least one processor to the first computing device.
 20. The computer program product of claim 15, wherein the program instructions cause the at least one processor to communicate with the at least one other computing device in at least one other secure communication channel, in which only the at least one other computing device is permitted to read communications from the at least one processor to the at least one other computing device. 